{
	"id": "9e422095-fc63-4ea7-b64e-eda45e425ca6",
	"created_at": "2026-04-06T00:14:26.244998Z",
	"updated_at": "2026-04-10T03:35:37.747144Z",
	"deleted_at": null,
	"sha1_hash": "a45779fa2d2434d636d31263bb8f736b7aec61b3",
	"title": "Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1850856,
	"plain_text": "Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine\r\nBy Martin Zugec\r\nPublished: 2022-04-25 · Archived: 2026-04-05 18:23:08 UTC\r\nAt the beginning of the invasion of Ukraine, we released a security advisory with recommendations based on different risk tiers. Since then, our Threat Intelligence (TI) and Managed Detection and Response (MDR) teams have been actively monitoring the situation and identifying active threats. Not surprisingly, the highest-risk group consists of businesses and organizations located in Ukraine, especially government entities and critical infrastructure.\r\nOne of the groups actively engaged in pro-Russian cyber-attacks is UAC-0056. This group has been active since at least March 2021, and its primary objective appears to be cyber espionage focused on key state sectors. Other names for this group are Lorec53, UNC2589, EmberBear, LorecBear, BleedingBear, SaintBear, and TA471.\r\nThis group has been associated with attacks using the OutSteel and GraphSteel stealers (malware designed to steal data). OutSteel was written in AutoIt, while GraphSteel was written in Go (often referred to as Golang). Both languages are known for their ease of use, but AutoIt is the simpler of the two and is often used by system administrators and scripters. The behavior of the Go-based GraphSteel is also more sophisticated: while its primary purpose is harvesting credentials, it also tries to exfiltrate the most common archive and Office formats such as .docx or .xlsx and to locate sensitive files such as .ssh, .crt, .key, .ovpn, or .json.\r\nBecause its target list also includes media files with extensions like .jpg, .png, .gif, .webp, .avi, .mkv, .mpg, .mpeg, and .3gp, GraphSteel limits its searches to files that are 50 MB or smaller. While there are certain similarities between OutSteel and GraphSteel, there is currently no clear connection between them. 
The original announcement by the Computer Emergency Response Team of Ukraine (CERT-UA) regarding GraphSteel indicates an average level of certainty for attribution to UAC-0056.\r\nFor the rest of this report, we will focus on attacks involving the GraphSteel malware. GraphSteel is part of the Elephant Framework, a collection of tools also written in Go and deployed in a recent wave of phishing attacks on .gov.ua targets. Three different attacks relying on the Elephant Framework have been observed recently:\r\nFebruary 11th, 2022 – SentinelOne detected an attack with fake dictionary software\r\nMarch 11th, 2022 – CERT-UA reported an attack with fake antivirus software\r\nMarch 28th, 2022 – CERT-UA reported an attack with an “Unpaid wages” email subject\r\nAnatomy of an Attack\r\nIn all known Elephant Framework attacks, spear phishing was used for initial compromise. The group demonstrated good knowledge of social engineering techniques, with emails originating from spoofed Ukrainian email addresses. The email subject and body would often use trending themes (COVID) or official-looking text.\r\nIn one of the emails, the threat actor warned about intensified computer attacks by the Russian Federation and then listed recommendations for effective security controls, including email and web traffic filtering, avoiding third-party DNS servers, and briefing employees about possible phishing attacks. This “helpful” email embedded a link to a malicious payload masquerading as the recommended antivirus tool.\r\nA few different techniques were used to execute the malicious launcher. In this example, the link to the malicious download is included in the body of the email. In other cases, an attached Excel spreadsheet with embedded macros was used. 
\r\nLauncher Component\r\nWe have seen a few different variants of GraphSteel launchers to date. In the case reported by SentinelOne, the downloaded launcher was a Python script converted to an executable using PyInstaller. In the other cases, the launcher was written in Go like the rest of the Elephant Framework, with the launcher’s name varying from attack to attack.\r\nWhy might threat actors choose Go, which is not a mainstream programming language, for this malware? Potential reasons include:\r\nSome security vendors may struggle to detect malware written in Go given its less frequent use\r\nThe payload can be compiled for both Windows and Linux without code changes\r\nIt is easy to use and can be extended with third-party modules\r\nAfter analyzing the GraphSteel code, we identified references to other community modules used by the Elephant Framework, for example for the AES cipher, for generating a unique client ID, and Coldfire (a malware development framework for Golang).\r\nhttps://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine\r\nPage 1 of 8\r\nThe launcher does not have the malware payload embedded; instead, it acts as a combination of downloader and dropper. Upon execution, the launcher connects to the command and control (C\u0026C) server, downloads the malware payload encoded as a base64 string, saves it to the local disk, and then executes it. The address of the C\u0026C server is hardcoded in this executable and, in all recorded cases, the file dropped by it is named Java-sdk.exe.\r\nDownloader Component\r\nJava-sdk.exe acts as a downloader for the Elephant Framework and, as you probably expect by now, is written in the Go language. 
It uses a similar technique to the launcher: it first connects to a C\u0026C server, then streams a base64-encoded string containing the malicious payload, saves it to disk as an executable, and executes it. The address of the C\u0026C server is not embedded; it is provided by the launcher as a base64(AES(\u003cC\u0026C\u003e)) argument. Two different malware files are downloaded and automatically executed: GraphSteel (Microsoft-cortana.exe) and GrimPlant (Oracle-java.exe). GrimPlant is a relatively simple backdoor that allows remote execution of PowerShell commands. GraphSteel is used for exfiltration of credentials, certificates, passwords, and other sensitive information.\r\nThis downloader component is also responsible for establishing persistence by creating a registry value named Java-SDK under the registry key HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\. Because the key lives in HKEY_CURRENT_USER, this persistence requires no administrative privileges and is scoped to the compromised user account.\r\nTypical flow of an attack based on the Elephant Framework\r\nThis covers our findings for the initial phase, in which the Elephant Framework is deployed to the compromised machine. In the next section, we will look in more detail at the core components of the Elephant Framework, GrimPlant and GraphSteel. Both implants are written in Go; comprehensive research is available from Intezer.\r\nGrimPlant (Backdoor) Component\r\nGrimPlant’s primary purpose is to allow a threat actor to execute PowerShell commands remotely. The address of the C\u0026C server is provided by Java-sdk.exe using the command line parameter -addr. This address is not provided in plain text; instead, it uses the same base64(AES(\u003cC\u0026C\u003e)) encoding as the downloader.\r\nCommunication with the C\u0026C server uses port 80 and is based on gRPC, an open-source Remote Procedure Call (RPC) framework originally designed by Google. The communications are encrypted with TLS, with the certificate hardcoded in the binary.  
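The persistence mechanism described in the Downloader Component section above (the Java-SDK Run value) and the file names and hashes in the Indicators of Compromise table at the end of this report can be turned into a simple triage check. The following Python is an added example written for this page; it is not Bitdefender code and not part of the malware. It assumes the responder has already exported the Run key with reg query (or an equivalent tool) and works on that text, so it never reads a live registry. The sample export and its paths are constructed; the Run value name, file names and SHA256 hashes come from this report.

```python
'''Triage of Elephant Framework persistence and dropped-file indicators.

Added example for this article; it is not code from Bitdefender or from the
malware. It evaluates data a responder has already exported (Run-key entries
and file hashes) against the indicators the article describes, so it runs on
any platform and never touches a live registry.
'''
import hashlib
import ntpath

DQ = chr(34)  # the double-quote character, used when Run data quotes a path

# Indicators from the article: the Run value the downloader creates, the file
# names used by the launcher, downloader and implants, and a subset of the
# SHA256 hashes from the IoC table.
RUN_VALUE_NAMES = {'java-sdk'}
DROPPED_FILE_NAMES = {
    'java-sdk.exe': 'Go downloader',
    'microsoft-cortana.exe': 'GraphSteel',
    'oracle-java.exe': 'GrimPlant',
    'bitdefenderwindowsupdatepackage.exe': 'fake Bitdefender installer',
    'wisw.exe': 'Discord downloader',
}
KNOWN_SHA256 = {
    'ba1066f7a47b3662b1589579c9b7100a6f275a1cd82de75b166f31e9ee913562': 'Go downloader',
    '4787c415dd0114e4b709e684b3ed686aed3d0c11549427ee23083c7ba53ef0e0': 'GraphSteel',
    '6dd346a7b04f5ca6b34cb5cbbb545cbeffd50e736f3cdf71073e805eae60c136': 'GrimPlant',
    'b5b989f8eab271b63d8ab96d00d5fb5c41ab622e6cfde46ea62189765326af5a': 'BitdefenderWindowsUpdatePackage.exe',
}
REG_STRING_TYPES = ('REG_SZ', 'REG_EXPAND_SZ')


def parse_reg_query(text):
    '''Parse the value lines of a reg query export into (name, data) pairs.

    Lines without a REG_SZ or REG_EXPAND_SZ token (the key header, blank
    lines, binary values) are skipped. Value names may contain spaces.
    '''
    entries = []
    for line in text.splitlines():
        for reg_type in REG_STRING_TYPES:
            marker = ' ' + reg_type + ' '
            idx = line.find(marker)
            if idx != -1:
                name = line[:idx].strip()
                data = line[idx + len(marker):].strip()
                entries.append((name, data))
                break
    return entries


def image_from_run_value(value_data):
    '''Return the executable path from Run value data.

    Handles a quoted path followed by arguments and an unquoted path followed
    by arguments. An unquoted path containing spaces is ambiguous and is cut
    at the first space.
    '''
    data = value_data.strip()
    if data.startswith(DQ):
        end = data.find(DQ, 1)
        return data[1:end] if end != -1 else data[1:]
    return data.split(None, 1)[0] if data else ''


def triage_run_entry(value_name, value_data):
    '''Return findings for one Run value; an empty list means nothing matched.'''
    findings = []
    if value_name.lower() in RUN_VALUE_NAMES:
        findings.append('value name matches downloader persistence: ' + value_name)
    image = ntpath.basename(image_from_run_value(value_data)).lower()
    family = DROPPED_FILE_NAMES.get(image)
    if family is not None:
        findings.append('value launches known file name ' + image + ' (' + family + ')')
    return findings


def triage_reg_query(text):
    '''Map each suspicious Run value name to its findings.'''
    result = {}
    for name, data in parse_reg_query(text):
        findings = triage_run_entry(name, data)
        if findings:
            result[name] = findings
    return result


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def family_for_hash(sha256_digest):
    '''Look a SHA256 hex digest up in the IoC subset (case-insensitive).'''
    return KNOWN_SHA256.get(sha256_digest.lower())


# Constructed sample in the shape of a reg query export of the HKCU Run key
# (header line omitted). Paths use forward slashes here; real exports contain
# backslashes, which ntpath.basename handles identically. The -addr value is a
# placeholder, not a real encoded address.
SAMPLE_REG_QUERY_LINES = [
    '    OneDrive    REG_SZ    C:/Users/victim/AppData/Local/Microsoft/OneDrive/OneDrive.exe /background',
    '    Java-SDK    REG_SZ    C:/Users/victim/AppData/Roaming/Java-sdk.exe',
    '    Updater    REG_EXPAND_SZ    ' + DQ + 'C:/Users/victim/Downloads/microsoft-cortana.exe' + DQ + ' -addr dGVzdA==',
]
SAMPLE_REG_QUERY = chr(10).join(SAMPLE_REG_QUERY_LINES)  # chr(10) is a newline

if __name__ == '__main__':
    for name, findings in triage_reg_query(SAMPLE_REG_QUERY).items():
        print(name)
        for finding in findings:
            print('  ' + finding)
    print(family_for_hash('ba1066f7a47b3662b1589579c9b7100a6f275a1cd82de75b166f31e9ee913562'))
```

The file-name match is the weaker signal, since the names are chosen to look legitimate and an attacker can rename them at will; the value name plus a user-profile path, or a hash hit, is what should drive escalation.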
\r\nAfter establishing a connection to the C\u0026C server, GrimPlant sends a heartbeat message every 10 seconds. The heartbeat message includes information about the infected endpoint (uploadSystemInfo function):\r\nOperating System – Hostname, operating system, number of CPUs\r\nIP Address – Queries api.ipify.org to retrieve the public IP address\r\nUser Info – Name, username, HomeDir\r\nThe malware and its heartbeat run in an infinite loop, waiting to receive commands from the C\u0026C server and executing them using PowerShell.exe. The request to api.ipify.org is also a useful network detection point: few legitimate endpoint processes other than browsers query a public IP lookup service.\r\nGraphSteel (Stealer) Component\r\nGraphSteel’s primary purpose is to exfiltrate data from infected machines. The address of the C\u0026C server is retrieved using the same method as GrimPlant. All communication is encrypted with the AES cipher on port 443. To communicate with the C\u0026C server, it uses WebSockets and the GraphQL query language.\r\nBelow are the functions used by this malware:\r\ngetFileHash() – Checks whether the file has already been uploaded to the server\r\ngetPublicKey() – Generates a random public key and receives a secret used to derive an AES key for subsequent communication\r\nuploadChunk() – Uploads files in chunks\r\nping() – Sends the client ID to the C\u0026C server\r\nuploadSystemInfo() – Uploads information about the infected machine. 
Same implementation as GrimPlant\r\nuploadCredentials() – Uploads credentials harvested from the infected machine\r\nThe malware runs two routines to communicate with the C\u0026C server:\r\nHeartbeat every 20 seconds\r\nExfiltration routine every 20 minutes\r\nThe exfiltration routine:\r\nSends information about the infected system using the uploadSystemInfo() function\r\nExfiltrates files using the uploadChunk() function\r\nFiles are exfiltrated from the Documents, Downloads, Pictures, and Desktop folders and from all available drives (D:\\ to Z:\\)\r\nLimited to files that are smaller than 50 MB and have one of the following extensions: .txt, .doc, .xls, .ppt, .docx, .xlsx, .pptx, .ovpn, .ssh, .zip, .rar, .7z, .jpg, .png, .gif, .webp, .avi, .mkv, .mpg, .mpeg, .3gp, .csv, .json, .crt, .key\r\nHarvests credentials and exfiltrates them using the uploadCredentials() function. Credentials and other sensitive information are extracted using different methods and from various locations:\r\nWi-Fi passwords\r\nChrome and Firefox credentials\r\nCredentials from the password vault\r\nCredentials from Windows Credential Manager\r\nSSH sessions from PuTTY, MobaXterm, OpenSSH, and FileZilla\r\nThunderbird\r\nWi-Fi passwords are extracted by parsing the output of netsh wlan show profiles, followed by netsh wlan show profile name=\u003cname\u003e key=clear for each profile.  
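The two harvesting commands (the netsh Wi-Fi profile dump described above and the PowerShell PasswordVault query quoted next), together with the -addr argument that Java-sdk.exe passes to the implants, all leave a command line in process-creation telemetry. The following Python is an added example written for this page, not code from Bitdefender or from the malware. It applies three heuristics to (image path, command line) pairs such as those recorded by Sysmon event ID 1 or Windows event 4688. The sample events, rule names and severities are constructed for illustration, and the base64 placeholder stands in for the encrypted C\u0026C address; it is not a real value from the campaign.

```python
'''Command-line heuristics for the credential harvesting and C2 hand-off
documented in the article.

Added example for this article; not code from Bitdefender or from the
malware. It scores process command lines, as recorded by process-creation
telemetry (e.g. Sysmon event ID 1 or Windows event 4688), for three
behaviours: the netsh Wi-Fi profile dump with key=clear, the PowerShell
PasswordVault RetrievePassword query, and an implant started with an -addr
argument carrying an encoded C2 address.
'''
import base64
import binascii
import ntpath

# File names of the downloader and the two implants, taken from the article.
IMPLANT_IMAGES = {'java-sdk.exe', 'microsoft-cortana.exe', 'oracle-java.exe'}
SHELL_IMAGES = {'powershell.exe', 'pwsh.exe'}
MIN_ENCODED_LEN = 16  # shorter -addr values are not an encrypted address


def looks_base64(value):
    '''True if value is a plausible base64 blob: at least MIN_ENCODED_LEN
    characters, padded to a multiple of four, alphabet characters only.'''
    if len(value) in range(MIN_ENCODED_LEN) or len(value) % 4 != 0:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def classify_cmdline(image, cmdline):
    '''Return a list of (rule, severity) hits for one process-creation event.'''
    hits = []
    exe = ntpath.basename(image).lower()
    raw_tokens = cmdline.split()
    tokens = [t.lower() for t in raw_tokens]
    lowered = cmdline.lower()

    # Enumerating profiles is routine admin activity (low). Adding key=clear
    # reveals the PSK and is what the stealer actually runs (high).
    if exe == 'netsh.exe' and 'wlan' in tokens and 'show' in tokens:
        if any(t.startswith('profile') for t in tokens):
            if 'key=clear' in tokens:
                hits.append(('wifi_profile_key_dump', 'high'))
            else:
                hits.append(('wifi_profile_enum', 'low'))

    # The WinRT PasswordVault is rarely scripted; together with
    # RetrievePassword it is a credential dump.
    if exe in SHELL_IMAGES and 'passwordvault' in lowered and 'retrievepassword' in lowered:
        hits.append(('passwordvault_dump', 'high'))

    # The downloader starts the implants with -addr base64(AES(c2)).
    if exe in IMPLANT_IMAGES and '-addr' in tokens:
        idx = tokens.index('-addr')
        value = raw_tokens[idx + 1] if idx + 1 != len(raw_tokens) else ''
        if looks_base64(value):
            hits.append(('implant_encoded_c2_arg', 'high'))
    return hits


def triage_events(events):
    '''Return [(image, cmdline, hits)] for the events that triggered a rule.'''
    out = []
    for image, cmdline in events:
        hits = classify_cmdline(image, cmdline)
        if hits:
            out.append((image, cmdline, hits))
    return out


# Placeholder for the encoded -addr value: base64 of 32 constructed bytes,
# not a real ciphertext from the malware.
SAMPLE_ADDR = base64.b64encode(b'0123456789abcdef0123456789abcdef').decode()

# Constructed events (image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    ('C:/Windows/System32/netsh.exe', 'netsh wlan show profiles'),
    ('C:/Windows/System32/netsh.exe', 'netsh wlan show profile name=CorpWifi key=clear'),
    ('C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'powershell [void][Windows.Security.Credentials.PasswordVault,'
     'Windows.Security.Credentials,ContentType=WindowsRuntime];'
     '$vault = New-Object Windows.Security.Credentials.PasswordVault;'
     '$vault.RetrieveAll() | % { $_.RetrievePassword();$_} | Select UserName, Resource, Password'),
    ('C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe', 'powershell -c Get-Service'),
    ('C:/Users/victim/AppData/Roaming/oracle-java.exe', 'oracle-java.exe -addr ' + SAMPLE_ADDR),
    ('C:/Program Files/Java/bin/java.exe', 'java.exe -addr 127.0.0.1'),
]

if __name__ == '__main__':
    for image, cmdline, hits in triage_events(SAMPLE_EVENTS):
        print(ntpath.basename(image), hits)
```

The netsh enumeration alone is scored low because administrators run it routinely; a profile dump with key=clear, and in particular a burst of them from a parent that is not an interactive shell, is what separates GraphSteel from normal use. The -addr rule is deliberately tied to the implant file names, since many legitimate programs accept an -addr switch.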
\r\nCredentials from the password vault are extracted by parsing the output of the following PowerShell command:\r\n[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];$vault = New-Object Windows.Security.Credentials.PasswordVault;$vault.RetrieveAll() | % { $_.RetrievePassword();$_} | Select UserName, Resource, Password | Format-Table -HideTableHeaders\r\nWhen one payload is not enough\r\nThe incidents analyzed in the first section of this article are based on the Elephant Framework and use the same kill chain, except for an incident involving a faked copy of Bitdefender software. On March 11th, 2022, CERT-UA reported a phishing campaign that included instructions to download a fake Bitdefender antivirus product.\r\nThe original phishing email. Source: CERT-UA\r\nBelow is the full text of this phishing email (loosely translated from Ukrainian):\r\nAn increased number of computer attacks on information systems of Ukraine has been detected since the beginning of the armed aggression of the Russian Federation.\r\nUnder the Law of Ukraine \"On Protection of Information in Information and Telecommunication Systems\" based on the decision of The National Security and Defense Council of Ukraine dated 06.03.2022, the State Service of Special Communications together with the Security Service of Ukraine, with the financial support of the Government of France, are taking measures to strengthen information security.\r\nTo eliminate threats to the state security of Ukraine and ensure the protection of information resources of authorities, organizations, and institutions of all forms of ownership, the following recommendations must be followed:\r\nInstall additional critical security updates for the Microsoft Windows operating system with a 
pre-installed certified antivirus available for download from the official Bitdefender website;\r\nUse SBU-certified up-to-date antivirus on all computers;\r\nFilter incoming e-mails on the e-mail server for the presence of spam messages, as well as e-mails containing attachments of the following types: exe, bat, cpl, dll, jar, msi, scr, etc.;\r\nFilter incoming web traffic using content filters for social networks, entertainment sites, and other potentially dangerous resources;\r\nBrief employees on the possible \"phishing\" attacks;\r\nAvoid the use of third-party DNS servers;\r\nFamiliarize the responsible employees with the provided instructions.\r\nResponsibility for failure to comply with the above recommendations rests with the authorities, organizations, and institutions of all forms of ownership.\r\nTo organize cooperation in the investigation of computer incidents, contact the leading specialist of the State Special Service \u003cREDACTED\u003e.\r\nThe link to the “official Bitdefender website” points to the domain forkscenter[.]fr. This phishing site spoofs bitdefender.fr, the French-language version of the Bitdefender website.\r\nThe fake Bitdefender.fr website. Source: CERT-UA\r\nAll links on this fake website download the malicious file named BitdefenderWindowsUpdatePackage.exe. Both France and Bitdefender have publicly declared support for Ukraine, and this may be why UAC-0056 chose this context for their phishing site: it aligns with the pretext of the spear-phishing email (protecting systems further in the heightened geopolitical environment after the invasion of Ukraine).\r\nThis phishing campaign is also interesting due to a key difference compared to Elephant Framework deployments before and after it. 
In other campaigns, the file BitdefenderWindowsUpdatePackage.exe would likely have been a launcher responsible only for the initial deployment of the Elephant Framework. In this case, a parallel deployment with a different payload was also triggered. The initial executable deployed a Discord downloader, Alt.exe, which in turn deployed two executables. The first is the familiar Go launcher that deployed the rest of the Elephant Framework as described earlier. The second, One.exe, is a Cobalt Strike Beacon, which deployed another Discord downloader, wisw.exe. Persistence was established by creating a startup link called BitdefenderControl.lnk, which executes wisw.exe. Finally, the malware downloads another executable, cesdf.exe, from Discord. Unfortunately, this file is not available for analysis, as the download server was shut down. While the Elephant Framework deployment used hxxp://45[.]84.0.116:443 as the C\u0026C server, the Cobalt Strike deployment used the C\u0026C server located at nirsoft[.]me.\r\nOverview of two parallel deployments associated with the spoofed AV attack\r\nConclusion and Recommendations\r\nThe best protection against modern cyber-attacks is a defense-in-depth architecture. Start by reducing your attack surface and employing automated controls to prevent most security incidents. For the few incidents that get through your defenses, lean on security operations, either in-house or through a managed service, and on strong detection and response tools.\r\nIntegrated reputation services can stop an attack at multiple stages: the initial phishing email, the execution of a previously unknown payload, and the call home to a C\u0026C server after a successful compromise.\r\nBitdefender Threat Intelligence (TI) is such a reputation service and can be integrated with your existing security infrastructure using the REST API. 
The services are platform-independent and compatible with any SIEM, SOAR, or other security tool that can consume data from third-party APIs. For OEM partners looking to license such a solution, we deliver up-to-date, contextual intelligence on URLs, IPs, domains, certificates, files, Command and Control servers, and Advanced Persistent Threats.\r\nTI is also featured in our Bitdefender Managed Detection and Response offering. Learn more about Bitdefender’s MDR Service, and get to know the Bitdefender experts who work in our security operations center (SOC).\r\nIndicators of Compromise\r\nAn up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise are listed in the tables below; a dash marks a SHA256 value that is not listed.\r\nFile hashes\r\nMD5  SHA256  Type/Family\r\n2e0f1315c52e8b017fb6110398b28e60  ba1066f7a47b3662b1589579c9b7100a6f275a1cd82de75b166f31e9ee913562  Go downloader\r\n8b245119a08313ede84ecda10d2b83c7  4787c415dd0114e4b709e684b3ed686aed3d0c11549427ee23083c7ba53ef0e0  GraphSteel\r\n33816414b221be4b0888ef0fbeaacb0b  6dd346a7b04f5ca6b34cb5cbbb545cbeffd50e736f3cdf71073e805eae60c136  GrimPlant\r\n9ad4a2dfd4cb49ef55f2acd320659b83  -  Discord downloader (wisw\r\nb8b7a10dcc0dad157191620b5d4e5312  b5b989f8eab271b63d8ab96d00d5fb5c41ab622e6cfde46ea62189765326af5a  BitdefenderWindowsUpda\r\n9ea3aaaeb15a074cd617ee1dfdda2c26  85c9bd53e9567ac4dc1e5caac2916f99c9e5bd5eec499b59668dfe997a574b48  GraphSteel\r\n4f11abdb96be36e3806bada5b8b2b8f8  476e95b4f194e4d3b0d580dc49bf5b552c9a34d5dcf7803dd97912719faa9d02  GrimPlant\r\nc8bf238641621212901517570e96fae7  -  Go downloader\r\n15c525b74b7251cfa1f7c471975f3f95  39b3c82b1e7e5626e380a53df4ccb52f3002749447cfab362b8ec217189a0fd5  Go downloader\r\n2fdf9f3a25e039a41e743e19550d4040  e9cb478188108533e821c71dd3dd5483ae1c27f677c7576c5046493321006bac  Discord downloader\r\naa5e8268e741346c76ebfd1f27941a14  2f92d416f73472db1ebe880b3bec677bcb1d96d6ad62974da00b4be5f6d61f5b  Contains Cobalt Strike beacon\r\n628f41776ae3b2e8343eeb9cdcd019f2  8e77118d819681fdc49ce3362d8bfd8f51f8469353396be7113c5a8978a171f6  GraphSteel\r\nfe63861920a3c02936b3deb0198a950f  04f76ef71d0d6f1c3da55bed846579bca8eb537643315f1196bd75c0c40cb927  GraphSteel\r\n71bc63c9635bbbdfcb6b046d68b9236e  b48232c1343515a224eeea11f267464fb500168ab19d7d3e0b217401243d3620  GrimPlant\r\ncbc0e802b7134e1d02df1f2eb1b1d1e2  4f4bbe75fb644cd83a64dbb256b5a82355b74b29cb7aa55e2a49f331a4ca02f7  GrimPlant\r\n8e0eb1742b47745ff73389673996e964  00c3bfa040aa0092f86950510885c125cbc0a90c90a38db0df0d22fd178136c0  Go downloader\r\n5495d3f64a7df1bfab353565fa97274b  72b8bfda5230dbd2a52d1ed0b6628a671aa220bea49f5c87d2eb64fb614d5722  Go downloader\r\ncde5aa217c0c1a7d2f1b9dcf9904e0ad  b79636a07b9c487878217024ab8579c17026fe334228795c34c70d5c7a302bbe  Go downloader\r\n69be9b58af0f7ff6f6f5ac72d8f7a403  7215d831898d7b8e3e195f8b8ae23b9d7859e8f51a89a5a52cde3c793a3bfe19  GraphSteel\r\ndd076c2be578d6d9419af8f39541e2cd  a7e89781b2e42488614340521dfa520bf43939a55c02a65aae0f667190cda840  GrimPlant\r\nFile names\r\nBitdefenderWindowsUpdatePackage.exe\r\nwisw.exe\r\nmicrosoft-cortana.exe\r\noracle-java.exe\r\njava-sdk.exe\r\nNetwork\r\nIP/DNS  Source\r\n212.193.30[.]106  Bitdefender research + Telemetry\r\n136.144.41[.]177  Bitdefender research\r\n80.66.76[.]187  Intezer blog post, also Bitdefender research\r\n194.31.98[.]124  CERT-UA\r\n91.242.229[.]35  SentinelOne\r\n45.84.0[.]116  CERT-UA\r\n45.140.146[.]17  Bitdefender research\r\nforkscenter[.]fr  CERT-UA; fake Bitdefender installer download site\r\nnirsoft[.]me  CERT-UA; Cobalt Strike beacon C\u0026C\r\n156.146.50[.]5  CERT-UA; source IP for phishing emails\r\nWe would like to thank the Bitdefender Labs team for their help with putting this report together.\r\nSource: https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine"
	],
	"report_names": [
		"deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine"
	],
	"threat_actors": [
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434466,
	"ts_updated_at": 1775792137,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a45779fa2d2434d636d31263bb8f736b7aec61b3.pdf",
		"text": "https://archive.orkl.eu/a45779fa2d2434d636d31263bb8f736b7aec61b3.txt",
		"img": "https://archive.orkl.eu/a45779fa2d2434d636d31263bb8f736b7aec61b3.jpg"
	}
}